To a hammer, everything looks like a nail—sometimes computer forensics experts forget the simple sleuthing techniques of asking questions and observing human behavior.

A good cyber-investigator applies not only high-tech skills, but old-school gumshoe know-how. Here’s how.

As cyber-crime investigations require more and more tech-savvy, I see investigators struggling to keep their knowledge current, spending thousands of dollars on the latest information security certifications…and often, neglecting the low-tech investigative skills of simple critical thinking.

Don’t get me wrong: Having the proper certifications may open doors and position you as a expert witness in court. In fact, I have two certifications under my belt. But how useful are the techniques I learned in the training courses, in my day-to-day investigations practice?

For me, not particularly.

Sure, technical knowledge is important. But relying on the latest certification, to the detriment of old-school sleuthing skills can be harmful to your practice.

Clients don’t care about framed certificates. They care whether you can help solve their problems. And the most reliable way I’ve found to get them the information they need is to use a combination of skills—many of them, the same basic investigative techniques that I learned when I was a rookie police officer more than 15 years ago.

And if I need to use more advanced technical skills in computer and network systems for a case, I can always outsource that part of my investigations to a trusted forensic specialist or IT person whose job it is to know more than I do.

That lets me focus on what I do best: the old investigative method called, “Who, What, Where, When, Why.” This should be the foundation of any investigation—even a cyber-crime case. Remember: a computer or other digital device is simply a vehicle to committing a crime, nothing more, nothing less. The human factor is always present, and humans leave trails—virtual and real-world.

IT Guy 0; Gumshoe, 1

I recently worked a case for a client who was receiving harassing messages from an anonymous person through her business email. The client had previously contracted with an IT professional to acquire an IP address and track the person, in order to start a legal action. The IT person was unable to track a footprint or route of the email communications, and the client paid a considerable amount of money for zero information.

What did the IT professional miss? He didn’t conduct a basic investigation—he followed the digital trail but ignored the human factor.

The client called me, and within the first few minutes of our initial meeting, I had two possible individuals of interest by asking one question: “Who have you recently had issues with in your personal or business life?”

Based on that information, I conducted background checks on both people and found that one had extensive experience as a computer programmer. I discreetly met with him, and he admitted to sending a series of emails to the client.

I submitted the findings of my investigation to my client’s attorney, and a civil lawsuit was filed.

Obviously, some cases require more technical knowledge than that one did. But this case illustrates how working computer and cyber-crime investigations can be less-complicated then we think.

What’s in a name?

It seems that some investigators get very excited about printing fancy high-tech titles and qualifications on their business cards—titles like “Cyber-Sleuth,” “Cyber-Crime Investigator” or “Internet Crimes Consultant.”

I’m wary of this practice. I prefer to just call myself a private investigator who specializes in computer and cyber investigations.

If you’re an investigator wanting to specialize in high-technology investigations, I recommend that you study computer forensics and networks and acquire working knowledge of digital and electronic systems. But be judicious in how you apply designations and titles. Keep in mind that if you’re ever called on to testify in court, the first thing a defendant’s attorney will pick apart is the amount of training and experience you have in computer investigations.

If your experience it limited, state that clearly, and testify on the investigative methods you used to acquire the information in your report. Don’t claim to be an expert in a field unless you have years behind you working computer forensics cases and have documented proof of your training and experience.

Remember, our clients are targets of these crimes because of their reliance on digital systems. Having expertise in this area can be a lucrative part of your private investigations business. But don’t neglect the basic skills of deductive reasoning that are the foundation of the investigator’s art.

Keep it simple!

ABOUT THE AUTHOR:

Marco Garza is a licensed private investigator and partner with GRI Consulting Group-Investigations in San Diego, California. Marco has more than 15 years of law enforcement experience in San Diego and has worked numerous assignments from patrol to investigations. Since opening his private investigations agency in 2007, he has worked mostly civil and legal investigations and helps other private investigators with marketing strategies.